Azure Virtual Network Service Endpoints (Preview)
https://blogs.technet.microsoft.com/ripom/2017/09/30/azure-virtual-network-service-endpoints-preview/
Sat, 30 Sep 2017 09:38:37 +0000

A few days ago there were some announcements for Ignite 2017 (https://azure.microsoft.com/it-it/blog/azure-networking-announcements-for-ignite-2017/).

It's an exciting opportunity for Microsoft to continue growing in the cloud, and a fantastic moment for consultants and architects to try new features that can simplify our lives.

One specific announcement caught my attention: Azure Virtual Network Service Endpoints (Preview). So I decided to try it and report some of my experience here.

First of all, this is a preview feature for Azure Storage (the one I tried) and Azure SQL Database. It is a way to protect the service endpoint so that traffic from your private virtual network is allowed and traffic from Internet-facing IP addresses is denied.

For many of our customers, data breaches remain a top concern. It is very hard to convince some customers to move their business-critical data to the cloud. Storage accounts (and other Azure services too) have Internet-reachable IP addresses and can potentially suffer from threats such as leaked credentials. Most customers want to limit access to this kind of resource to their Azure virtual networks or on-premises networks only.

Have you ever used the Service Map solution in Log Analytics to monitor VMs with a public IP? You can see how many foreign public IPs try to connect to the SSH or RDP port from the Internet.

Right now, the Azure Virtual Network Service Endpoints (Preview) feature is available only in these regions:

The VNET and the Azure service can be in different subscriptions but must be in the same AD tenant (it is not yet clear whether this limitation applies only during the preview).

Be careful: if you still use VMs with unmanaged disks, backup of unmanaged disks is not supported during the preview.

Good news: this feature is free. In fact there is no additional charge for using service endpoints; the current pricing model for Azure services (Azure Storage, Azure SQL Database) applies as-is today.

There is no limit on the total number of service endpoints in a virtual network, but Azure Storage account services may enforce limits on the number of subnets used for securing the resource. Refer to the documentation for the various services in Next steps for details.

After creating the storage account, I could reach the settings through the Firewalls and virtual networks tab of the Storage Account blade.

After clicking on this tab, I found the Service Endpoint settings and created several Service Endpoints.

In this case I enabled 2 VNETs, and in the first VNET I enabled 3 subnets.

Remember: by enabling a Service Endpoint for Azure Storage within the virtual network, traffic is guaranteed an optimal route to the Azure Storage service. The identities of the virtual network and the subnet are also transmitted with each request. Administrators can then configure network rules for the storage account that allow requests only from specific subnets in the virtual network.

SCENARIO

I tried a very interesting scenario.

Map a network share from a VM connected to the VNET, while denying access to the share from the Internet.

The steps to follow for the lab are:

Configure the storage account to allow access only from the VNET and subnet where the VM is attached.

Connect the VM to the share with the NET USE command, as shown in the following figure.

Verify with the NETSTAT command that the connection is actually established, and note that the storage account endpoint is still a public IP; traffic, however, runs only over the Microsoft backbone and not over the Internet.

To verify that access to the share is blocked via the Internet, just try to connect to the same share from a different machine that does not belong to the VNET with the Service Endpoint enabled; in this case the test was done from my on-premises workstation. As shown in the picture, you get access denied.

REMEMBER

Network rules are enforced on all network protocols to Azure Storage, including REST and SMB. Access to your data from tools like the Azure portal, Storage Explorer and AzCopy requires explicit network rules granting access when network rules are in force.

In fact, after disabling Internet access to the storage account, I tried to browse the Blob service or the File service and got an unbelievable Access Denied in the portal.

Don't worry, it's easy to get rid of this problem. You need to add your client IP address (the one your browser uses to reach the storage account) under Firewalls and virtual networks.
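The same lab configuration, done with the Az PowerShell module instead of the portal, as an added example that is not code from the original post. It enables the service endpoint on the VM subnet, sets the storage firewall to deny by default, allows only that subnet, adds the workstation IP rule from the REMEMBER section, and includes a small function for the NET USE / NETSTAT checks to run inside the VM. Assumptions: Az.Network and Az.Storage are installed, Connect-AzAccount has been run, and every resource name, share name and IP address is a placeholder.

```powershell
# Added example (not code from the original post): the lab configuration with the Az module.
# Assumptions: Az.Network and Az.Storage are installed, Connect-AzAccount has been run,
# and every name / IP below is a placeholder to replace.
$rg         = 'rg-lab'
$vnetName   = 'vnet-lab'
$subnetName = 'subnet-vm'
$saName     = 'stlab001'
$adminIp    = '203.0.113.10'   # public IP of the workstation that uses the portal / Storage Explorer

# Step 1: enable the Microsoft.Storage service endpoint on the subnet where the VM is attached.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork          # commit, then re-read to get the saved subnet id
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# Step 2: default Deny on the storage account firewall, then allow only that subnet.
# -Bypass None also removes the "Azure services" exception; use AzureServices if a service needs it.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -DefaultAction Deny -Bypass None | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null

# REMEMBER section: the portal, Storage Explorer and AzCopy from outside the VNET need an IP rule.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName -IPAddressOrRange $adminIp | Out-Null

# Review the effective rule set before handing the account over.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName |
    Select-Object DefaultAction, Bypass,
        @{ n = 'Subnets'; e = { $_.VirtualNetworkRules.VirtualNetworkResourceId } },
        @{ n = 'IPs';     e = { $_.IpRules.IPAddressOrRange } }

function Test-ShareFromVm {
    # Scenario steps 2 and 3, to run inside the VM: map the share with NET USE, then show the
    # established TCP 445 session. The endpoint IP is public, but the route stays on the
    # Microsoft backbone because the subnet carries the service endpoint.
    param([string]$StorageAccount, [string]$Share, [string]$Key)
    $fqdn = "$StorageAccount.file.core.windows.net"
    cmd.exe /c "net use Z: \\$fqdn\$Share /user:Azure\$StorageAccount $Key"
    $ips = (Resolve-DnsName -Name $fqdn -Type A | Where-Object QueryType -eq 'A').IPAddress
    Write-Host "Storage endpoint resolves to: $($ips -join ', ')"
    netstat -an | Select-String ':445\s+ESTABLISHED'
}
# Example call from the VM (the key comes from Get-AzStorageAccountKey on the admin workstation):
# Test-ShareFromVm -StorageAccount $saName -Share 'share' -Key '<storage-account-key>'
```

Run the first part from the workstation whose public IP is in $adminIp; running it from anywhere else locks that workstation out of the portal view of the account, which is exactly the Access Denied described above. Test-ShareFromVm is meant to be pasted into a session on the VM itself.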

Azure Import/Export data and Amazon Snowball
https://blogs.technet.microsoft.com/ripom/2017/02/05/azure-importexport-data-and-amazon-snowball/
Sun, 05 Feb 2017 15:39:42 +0000

In the last few days, I started working on an Azure Import/Export data project.

My customer has some TB of data to transfer to Azure.

After several attempts to transfer the data over the Internet, they gave up and began to think about using this Azure feature.

WAImportExport: This is a client tool that you install on a local host computer to transfer data from on-premises to the cloud.

Snowball client: The Snowball client is software that you install on a local host computer and use to efficiently identify, compress, encrypt, and transfer data from the directories you specify to a Snowball.

Client OS for installing the copy tool

WAImportExport (Azure): Windows 64-bit, Windows 7 or later

Snowball client (Amazon): Windows, Mac, Linux

Example copy process

How do I transfer my data disks?

The first step when importing data using the Azure Import/Export service is to prepare the copy machine:

How do I transfer my data to the Snowball appliance?

When you connect the Snowball appliance to your network and set the IP address using the E Ink display, you will need to download three things from the AWS Management Console:

Snowball client: The software tool that is used to transfer data from your on-premises storage to the Snowball appliance. For more information on the Snowball client, see the Tools page.

After you launch the client and provide this information, the client is connected to the Snowball appliance and ready for use. Next you need to identify the file directories you want to transfer to the appliance and then wait for the transfer to complete. A sample Copy command is below:

In short, if you have a meeting with a client and he claims that Amazon has no complex procedure to copy data and everything is automatic, now you know it's not true. Amazon needs some manual pre-processing steps before you can start copying data.

Configure your proxy server

Configure AADSYNC

You have to configure the proxy settings in Internet Explorer for the service user; you can do that this way:

runas /user:domain\serviceuser "control.exe inetcpl.cpl"

If you still have problems after configuring Internet Explorer, then you must configure machine.config of the .NET 4.5 Framework:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config

Add this section to the bottom of the file; be aware it is case sensitive:
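As an added example (not the post's own snippet, which is not reproduced here), the following script writes the standard .NET system.net/defaultProxy element into the machine.config path named above, taking a backup first and using the XML DOM so that the case-sensitive element names are emitted exactly. Assumptions: the proxy address is a placeholder, and the section is built with the defaultProxy and proxy elements that .NET documents for this purpose.

```powershell
# Added example (not from the original post): write <system.net><defaultProxy> into machine.config.
# Run from an elevated PowerShell session. The proxy address is a placeholder (assumption).
$machineConfig = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
$proxyAddress  = 'http://proxy.corp.example:8080'

# Backup first: a malformed machine.config breaks every .NET 4.x process on the host.
Copy-Item -Path $machineConfig -Destination "$machineConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"

[xml]$xml = Get-Content -Path $machineConfig -Raw
$root = $xml.DocumentElement                      # <configuration>

# Create <system.net> if it is missing (a stock machine.config does not ship one).
$sysNet = $root.SelectSingleNode('system.net')
if ($null -eq $sysNet) { $sysNet = $root.AppendChild($xml.CreateElement('system.net')) }

# Replace any existing <defaultProxy> so the script can be re-run safely.
$old = $sysNet.SelectSingleNode('defaultProxy')
if ($null -ne $old) { [void]$sysNet.RemoveChild($old) }

# Element and attribute names are case sensitive, as the post warns; CreateElement keeps them as typed.
$defaultProxy = $xml.CreateElement('defaultProxy')
$defaultProxy.SetAttribute('enabled', 'true')
$defaultProxy.SetAttribute('useDefaultCredentials', 'true')   # the sync service account authenticates to the proxy

$proxy = $xml.CreateElement('proxy')
$proxy.SetAttribute('usesystemdefault', 'false')
$proxy.SetAttribute('proxyaddress', $proxyAddress)
$proxy.SetAttribute('bypassonlocal', 'true')
[void]$defaultProxy.AppendChild($proxy)
[void]$sysNet.AppendChild($defaultProxy)

$xml.Save($machineConfig)

# Print what was written so the names can be checked by eye before restarting the sync service.
$sysNet.OuterXml
```

Restart the synchronization service afterwards so that the new process reads the updated machine.config; the Framework (32-bit) directory has its own machine.config, which needs the same change if the service runs as a 32-bit process.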

How to add second user to Windows User Local Profile
https://blogs.technet.microsoft.com/ripom/2014/12/03/how-to-add-second-user-to-windows-user-local-profile/
Wed, 03 Dec 2014 06:26:04 +0000

ATTENTION: this procedure may not be supported, so if you modify registry entries you do so at your own risk.

When I face a domain consolidation and then a Windows migration, I often get requests from clients to allow the newly migrated user (the second user) to access the previous Windows user local profile.

Normally I reach this goal with ADMT: when I do Security Translation I use ADD mode on User Profile. But some clients asked me to do it without ADMT and just use a script.

I reverse engineered what ADMT does and found these steps. Assume the operating system is Windows 7, the source user is sourcedomain\j9999 and the target user is targetdomain\j9999.

1. Log on to the workstation with the sourcedomain\j9999 user.
2. Browse the c:\users directory, find the user profile folder j9999, right-click it and choose Properties.
3. Click on the Security tab and then on the Advanced button.
4. Add Full Control for user targetdomain\j9999 and apply it with "Replace all child object permissions…".
5. Open regedit and select HKEY_CURRENT_USER.
6. Right-click, choose Permissions and add Full Control for user targetdomain\j9999.
7. Log off and log on with the local administrator user, or runas regedit with a different user.
8. Copy the following registry key, changing these parameters:
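Steps 2 to 6 of the procedure above as a script, added here as an example and not the post's own code. It must run in a session opened as the source user (step 1), so that HKCU: is that user's hive; step 8 is not included because the registry key to copy is not on the page. Assumptions: the sample domain and user names are the post's; the profile folder path is derived from them.

```powershell
# Added example (not from the original post): steps 2 to 6 as a script.
# Run as the source user (step 1) so that HKCU: is the right hive. Step 8 is not covered here.
$sourceProfile = 'C:\Users\j9999'          # profile folder of sourcedomain\j9999 (post's sample)
$targetUser    = 'targetdomain\j9999'      # second user that must reuse the profile

# Steps 2-4: Full Control on the profile folder. (OI)(CI) makes the ACE inherit to files and
# subfolders, /T rewrites existing children (the GUI's "Replace all child object permissions"),
# /C continues past files that cannot be touched instead of aborting.
icacls $sourceProfile /grant "$($targetUser):(OI)(CI)F" /T /C
if ($LASTEXITCODE -ne 0) { throw "icacls reported errors on $sourceProfile" }

# Steps 5-6: Full Control on the root of the user's registry hive, inheritable by sub-keys.
$acl  = Get-Acl -Path 'HKCU:\'
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $targetUser,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path 'HKCU:\' -AclObject $acl

# Verify: both ACLs should now list the target user with FullControl.
(Get-Acl -Path $sourceProfile).Access |
    Where-Object { $_.IdentityReference.Value -eq $targetUser } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
(Get-Acl -Path 'HKCU:\').Access |
    Where-Object { $_.IdentityReference.Value -eq $targetUser } |
    Select-Object IdentityReference, RegistryRights
```

The target user name must already resolve on the workstation (trust in place, or the machine already joined to the target domain), otherwise both icacls and the RegistryAccessRule constructor fail to translate the account.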

DirectAccess and get website by internal proxy
https://blogs.technet.microsoft.com/ripom/2014/07/25/directaccess-and-get-website-by-internal-proxy/
Fri, 25 Jul 2014 05:53:00 +0000

I have some clients that must use an internal proxy to reach some websites (security rules).

When they use the DirectAccess client outside the corporate network, they have problems reaching those websites.

If you are in the same situation, how can you resolve it?

You need to edit the Name Resolution Policy Table (NRPT) on the DirectAccess (DA) server by using a PowerShell cmdlet.

Then you must check DNS name resolution and the client proxy configuration.

If the following statements are true:

the URL directaccess.yourdomain.com resolves correctly

you don't need a proxy and the proxy configuration is disabled

the firewall between your client and the DirectAccess server is correctly configured

then you should check this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr. If you can see any sub-keys below the ProxyMgr key, delete the whole ProxyMgr key and restart your DirectAccess client.

Second cause

Status is Connecting and DirectAccess is not working

Check your company DNS server zone for the Directaccess-WebProbeHost.yourcompany.local entry; if it is missing, create the entry with the DirectAccess server's internal IP (use the VIP if you have NLB).
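The whole troubleshooting path from this post as an added example, not the post's own code: one function per host role, so each is run where it applies. Assumptions: the RemoteAccess module is available on the DA server, DnsClient on the client and DnsServer on the internal DNS server; the proxy entry is created with the -ProxyServer parameter of Add-DAClientDnsConfiguration; the DNS suffix, proxy, host names and IP addresses are placeholders.

```powershell
# Added example (not from the original post). Assumptions: RemoteAccess module on the DA server,
# DnsClient on the client, DnsServer on the DNS server; names, suffixes and IPs are placeholders.

function Add-DaProxyNamespace {
    # On the DA server: NRPT entry so that names under the suffix are reached via the internal proxy.
    param([string]$DnsSuffix   = '.intranet.yourdomain.com',
          [string]$ProxyServer = 'proxy.yourdomain.com:8080')
    Add-DAClientDnsConfiguration -DnsSuffix $DnsSuffix -ProxyServer $ProxyServer -PassThru
    Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress, ProxyServer -AutoSize
}

function Test-DaClientPrerequisite {
    # On the client: the three checks listed in the post, then the ProxyMgr registry fix.
    param([string]$DaHost = 'directaccess.yourdomain.com')
    # a) the public DA name resolves
    Resolve-DnsName -Name $DaHost -Type A -ErrorAction Stop | Out-Null
    # b) no client proxy is configured (ProxyEnable must be 0)
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($ie.ProxyEnable -ne 0) { Write-Warning "Client proxy is enabled: $($ie.ProxyServer)" }
    # c) the firewall lets IP-HTTPS (TCP 443) through to the DA server
    if (-not (Test-NetConnection -ComputerName $DaHost -Port 443 -InformationLevel Quiet)) {
        Write-Warning "TCP 443 to $DaHost is blocked"
    }
    # d) the NRPT as the client sees it, then the ProxyMgr key from the post
    Get-DnsClientNrptPolicy | Format-Table Namespace, DirectAccessDnsServers, DirectAccessProxyName -AutoSize
    $proxyMgr = 'HKLM:\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr'
    if ((Test-Path -Path $proxyMgr) -and ((Get-ChildItem -Path $proxyMgr).Count -gt 0)) {
        Write-Warning 'ProxyMgr has sub-keys: deleting the whole key. Restart the client afterwards.'
        Remove-Item -Path $proxyMgr -Recurse -Force      # needs an elevated session
    }
}

function Confirm-DaWebProbeHost {
    # On the internal DNS server: second cause, the web probe host A record.
    param([string]$ZoneName     = 'yourcompany.local',
          [string]$DaInternalIp = '10.0.0.10')         # use the VIP when the DA servers sit behind NLB
    $name = 'Directaccess-WebProbeHost'
    $rec  = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A -ErrorAction SilentlyContinue
    if ($null -eq $rec) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $DaInternalIp
    }
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A
}
```

Run Add-DaProxyNamespace once on the DA server, then Test-DaClientPrerequisite on an affected client while it is outside the corporate network; Confirm-DaWebProbeHost belongs on the internal DNS server and is idempotent, so it can be re-run after every DA server change.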